拒绝直接访问除index.php之外的所有.php文件
[英]Deny direct access to all .php files except index.php
问题描述
I want to deny direct access to all .php files except one: index.php 
我想拒绝直接访问所有.php文件,除了一个: index.php
The only access to the other .php files should be through php include . 对其他.php文件的唯一访问应该是通过php include 。
If possible I want all files in the same folder. 如果可能,我希望所有文件都在同一个文件夹中。
UPDATE: 更新:
A general rule would be nice, so I don't need to go through all files. 一般规则会很好,所以我不需要浏览所有文件。 The risk is that I forget a file or line. 风险是我忘记了文件或行。
UPDATE 2: 更新2:
The index.php is in a folder www.myadress.com/myfolder/index.php index.php位于www.myadress.com/myfolder/index.php文件夹中
I want to deny access to all .php files in myfolder and subfolders to that folder. 我想拒绝访问myfolder和子文件夹中的所有.php文件到该文件夹。
13 个解决方案
解决方案1
104 2009-08-27 09:59:22
Are you sure, you want to do that? 你确定,你想这样做吗? Even css and js files and images and ...? 甚至css和js文件和图像......?
OK, first check if mod_access in installed to apache, then add the following to your .htaccess: 好的,首先检查是否已将mod_access安装到apache中,然后将以下内容添加到.htaccess:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
The first directive forbids access to any files except from localhost, because of Order Deny,Allow , Allow gets applied later, the second directive only affects index.php. 第一个指令禁止访问除localhost之外的任何文件,因为Order Deny,Allow ,Allow稍后应用,第二个指令只影响index.php。
Caveat: No space after the comma in the Order line. 警告:订单行中逗号后面没有空格。
To allow access to files matching *.css or *.js use this directive: 要允许访问与* .css或* .js匹配的文件,请使用以下指令:
<FilesMatch ".*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
You cannot use directives for <Location> or <Directory> inside .htaccess files, though. 但是,您不能在.htaccess文件中使用<Location>或<Directory>指令。
Your option would be to use <FilesMatch ".*\\.php$"> around the first allow,deny group and then explicitely allow access to index.php. 您的选择是在第一个允许,拒绝组周围使用<FilesMatch ".*\\.php$"> ,然后明确允许访问index.php。
Update for Apache 2.4: This answer is correct for Apache 2.2. Apache 2.4的更新:这个答案适用于Apache 2.2。 In Apache 2.4 the access control paradigm has changed, and the correct syntax is to use Require all denied . 在Apache 2.4中, 访问控制范例已经改变,正确的语法是使用Require all denied 。
解决方案2
80 2012-07-29 17:23:54
Actually, I came here with the same question as the creator of the topic, but none of the solutions given were a complete answer to my problem. 实际上,我带着与该主题的创建者相同的问题来到这里,但所给出的解决方案都不是我问题的完整答案。 Why adding a code to ALL the files on your server when you could simply configure it once ? 为什么只需配置一次代码就可以为服务器上的所有文件添加代码? The closest one was Residuum's one, but still, he was excluding ALL files, when I wanted to exclude only php files that weren't named index.php. 最接近的是Residuum的一个,但是,当我想排除那些未命名为index.php的php文件时,他仍然排除了所有文件。
So I came up with a .htaccess containing this : 所以我想出了一个包含这个的.htaccess:
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
(Remember, htaccess files are working recursively, so it suits perfectly the prerequisite of the question.) (请记住,htaccess文件是递归工作的,所以它完全适合问题的先决条件。)
And here we go. 现在我们开始。 The only php files that will be accessible for an user will be the ones named index.php. 用户可以访问的唯一php文件将是名为index.php的文件。 But you can still acces to every image, css stylesheet, js script, etc. 但您仍然可以访问每个图像,css样式表,js脚本等。
解决方案3
34 2009-10-22 14:22:28
An oblique answer to the question is to write all the code as classes, apart from the index.php files, which are then the only points of entry. 这个问题的一个倾斜的答案是将所有代码写为类,除了index.php文件,这是唯一的入口点。 PHP files that contain classes will not cause anything to happen, even if they are invoked directly through Apache. 包含类的PHP文件不会导致任何事情发生,即使它们是通过Apache直接调用的。
A direct answer is to include the following in .htaccess: 直接的答案是在.htaccess中包含以下内容:
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch "index[0-9]?\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
This will allow any file like index.php, index2.php etc to be accessed, but will refuse access of any kind to other .php files. 这将允许访问任何文件,如index.php,index2.php等,但将拒绝任何类型的访问其他.php文件。 It will not affect other file types. 它不会影响其他文件类型。
解决方案4
16 2009-08-27 09:53:03
You can try defining a constant in index.php and add something like 你可以尝试在index.php定义一个常量并添加类似的东西
if (!defined("YOUR_CONSTANT")) die('No direct access');
to the beginning of the other files. 到其他文件的开头。
OR, you can use mod_rewrite and redirect requests to index.php, editing .htaccess like this: 或者,您可以使用mod_rewrite和重定向请求到index.php,编辑.htaccess如下所示:
RewriteEngine on
RewriteCond $1 !^(index\.php)
RewriteRule ^(.*)$ /index.php/$1 [L,R=301]
Then you should be able to analyze all incoming requests in the index.php and take according actions. 然后,您应该能够分析index.php中的所有传入请求并采取相应的操作。
If you want to leave out all *.jpg, *.gif, *.css and *.png files, for example, then you should edit second line like this: 例如,如果你想省略所有* .jpg,* .gif,* .css和* .png文件,那么你应该像这样编辑第二行:
RewriteCond $1 !^(index\.php|*\.jpg|*\.gif|*\.css|*\.png)
解决方案5
11 2009-08-27 10:50:38
How about keeping all .php-files except for index.php above the web root? 除了在web根目录之上的index.php之外,保留所有.php文件怎么样? No need for any rewrite rules or programmatic kludges. 无需任何重写规则或程序化的kludges。
Adding the includes-folder to your include path will then help to keep things simple, no need to use absolute paths etc. 将includes-folder添加到include路径将有助于简化操作,无需使用绝对路径等。
解决方案6
6 2013-02-12 09:41:47
URL rewriting could be used to map a URL to .php files. URL重写可用于将URL映射到.php文件。 The following rules can identify whether a .php request was made directly or it was re-written. 以下规则可以识别.php请求是直接发出还是重写。 It forbids the request in the first case: 它在第一种情况下禁止请求:
RewriteEngine On
RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.php[?\ ]
RewriteRule \.php$ - [F]
RewriteRule test index.php
These rules will forbid all requests that end with .php . 这些规则将禁止以.php结尾的所有请求。 However, URLs such as / (which fires index.php), /test (which rewrites to index.php) and /test?f=index.php (which contains index.php in querystring) are still allowed. 但是,仍然允许使用/ (触发index.php), /test (重写为index.php)和/test?f=index.php (其中包含querystring中的index.php)等/test?f=index.php 。
THE_REQUEST contains the full HTTP request line sent by the browser to the server (eg, GET /index.php?foo=bar HTTP/1.1 ) THE_REQUEST包含浏览器发送到服务器的完整HTTP请求行(例如, GET /index.php?foo=bar HTTP/1.1 )
解决方案7
2 2013-05-22 12:18:42
Instead of passing a variable around I do this which is self-contained at the top of any page you don't want direct access to, this should still be paired with .htaccess rules but I feel safer knowing there is a fail-safe if htaccess ever gets messes up. 我没有传递一个变量,而是在你不想直接访问的任何页面的顶部自行包含这个变量,这应该仍然与.htaccess规则配对,但我知道如果有一个故障安全,我会感到更安全。 htaccess永远搞砸了。
<?php
// Security check: Deny direct file access; must be loaded through index
if (count(get_included_files()) == 1) {
header("Location: index.php"); // Send to index
die("403"); // Must include to stop PHP from continuing
}
?>
解决方案8
1 2016-03-01 00:04:17
With Apache 2.4, the syntax for access control has changed. 使用Apache 2.4,访问控制的语法已经改变。 If using directives like: 如果使用如下指令:
Order deny,allow
Deny from all
does not work, you're likely using Apache 2.4. 不起作用,你可能使用Apache 2.4。
The Apache 2.4 docs are here . Apache 2.4文档就在这里 。
You need to use Require all denied in one of these ways: 您需要以下列方式之一使用Require all denied :
# you can do it this way (with "not match")
<FilesMatch ^((?!index\.php).)*$>
Require all denied
</FilesMatch>
# or
Require all denied
<Files index.php>
Require all granted
</Files>
解决方案9
1 2012-03-24 08:21:25
An easy solution is to rename all non-index.php files to .inc, then deny access to *.inc files. 一个简单的解决方案是将所有非index.php文件重命名为.inc,然后拒绝访问* .inc文件。 I use this in a lot of my projects and it works perfectly fine. 我在很多项目中都使用它,它的工作原理非常好。
解决方案10
0 2013-07-18 03:54:45
place all files in one folder. 将所有文件放在一个文件夹中。 place a .htaccess file in that folder and give it the value deny all. 将.htaccess文件放在该文件夹中,并为其赋予值deny all。 then in index.php thats placed outside of the folder have it echo out the right pages based on user input or event 然后在index.php中放置在文件夹之外的文件让它根据用户输入或事件回显出正确的页面
解决方案11
-1 2015-12-09 09:49:31
<Files ~ "^.*\.([Pp][Hh][Pp])">
Order allow,deny
Deny from all
Satisfy All
</Files>
解决方案12
-2 2013-06-12 16:49:31
Allow only 2 ip , all other will block 只允许2个ip,所有其他将阻止
Order Deny,Allow
Deny from all
Allow from 173.11.227.73 108.222.245.179
解决方案13
-52 已采纳 2009-08-27 09:57:57
In index.php, add an access value like this: 在index.php中,添加如下访问值:
$access = 'my_value';
In every other file, include this check before even a single byte is echoed out by php: 在每个其他文件中,包括此检查甚至在php回显单个字节之前:
if(empty($access)) {
header("location:index.php");
die();
}
This way, other php files will be accessible only through require / include and not through the url. 这样,其他php文件只能通过require / include而不是url访问。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.